Redirect_uri for execute-actions-email admin endpoint related to OAuth2 redirect_uri?

I’m wondering how the redirect_uri that can be included as a query parameter to the execute-actions-email admin endpoint is related to the redirect_uri entries for the OAuth2 client.

For the execute-actions-email endpoint, I would like to enter a redirect_uri that points to the “home page” of the application, typically something along the lines of https://application.tld/index.html.

A redirect_uri for the OAuth2-client, on the other hand, is the callback URL that the Authorization Server (Keycloak, in our case) redirects the browser to with the authorization code, in order to complete the OAuth2 code flow. Typically, this is something like https://application.tld/oauth2/callback or similar. This is not the “home page” of the application. Instead, it is expected that the client performs the last steps of the OAuth code flow, and subsequently redirects the browser to the “home page” (or some other entry point of the application, e.g. a deep link).

Calling the OAuth2 callback URL outside of an authorization code flow typically results in some error (e.g. 403 Unauthorized).

As a consequence, if I want to include a link to the app in the password reset form, I need to include the home page of the app as redirect_uri in the OAuth2 client, although during the OAuth2 code flow there will never be a redirect to that URI (it would not work, anyway, since in general the “home page” of the app is not capable of trading the authorization code for an access token).

This is not desirable, since OAuth2 redirect_uris should be as narrow as possible.

To me, this seems like mixing two unrelated concepts under the name of redirect_uri.

Am I mistaken here?
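The concern in the question above, modeled as an added example (not part of the original post and not Keycloak source code): when one per-client allowlist serves both the authorization request and the action-email link, allowing the home page for the email also makes it an accepted code-flow redirect target. The class names, the simplified matcher, the third candidate URL and the split-list alternative are assumptions made for illustration.

```python
# Simplified model; the matching rule (exact, or prefix when the pattern ends
# in '*') is an assumption for illustration, not a copy of Keycloak's logic.
CALLBACK = "https://application.tld/oauth2/callback"
HOME = "https://application.tld/index.html"
# Constructed candidate URIs to probe each configuration with.
CANDIDATES = [CALLBACK, HOME, "https://application.tld/other"]


def matches(uri, pattern):
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def is_allowed(uri, allowlist):
    return any(matches(uri, p) for p in allowlist)


class SharedListClient:
    """One redirect_uri list consulted for both purposes (the post's situation)."""

    def __init__(self, redirect_uris):
        self.redirect_uris = list(redirect_uris)

    def authorization_request_ok(self, redirect_uri):
        return is_allowed(redirect_uri, self.redirect_uris)

    def action_email_link_ok(self, redirect_uri):
        return is_allowed(redirect_uri, self.redirect_uris)


class SplitListClient:
    """Hypothetical alternative: separate lists for callback and post-action link."""

    def __init__(self, callback_uris, post_action_uris):
        self.callback_uris = list(callback_uris)
        self.post_action_uris = list(post_action_uris)

    def authorization_request_ok(self, redirect_uri):
        return is_allowed(redirect_uri, self.callback_uris)

    def action_email_link_ok(self, redirect_uri):
        return is_allowed(redirect_uri, self.post_action_uris)


def code_flow_exposure(client, candidates=CANDIDATES):
    """Return the candidate URIs an authorization request could redirect to."""
    return [u for u in candidates if client.authorization_request_ok(u)]
```

Running `code_flow_exposure` against the configuration you actually plan to deploy shows how far the code-flow redirect surface grows for each entry added only for the email link.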